
My Firefox and computer infected



Hi!  I have a quick question and then my issue.  A relative's computer was scanned by Malwarebytes, found the Trojan floxif and then it said no action taken.  Does this mean their computer is okay?  The version of Ccleaner supposed to be infected wasn't in the download file any more when I checked it.

My computer was apparently infected by the Ccleaner Trojan Floxif also and even though I had Malwarebytes Premium installed it only discovered it in a scan in September.  My Firefox has been acting strangely - loading the wrong page when pulled up, hanging in my email account so I couldn't log out and in other secure sites as well where security could have been compromised.  Please help me rid my computer of all malware, malicious software, viruses, and fix any other problems.  I am attaching 3 scans.  I've also scanned with SUPERAntispyware and Microsoft Security Essentials.

I appreciate your attention to this matter. 

Thanks for your prompt reply,

Autumnleaves

 

Addition 1.txt

FRST 1.txt

mwb - report 10-18-17.txt


Hello Autumnleaves and welcome!


My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear.

Read all of my instructions very carefully because any mistake you can make during the cleaning process may have serious consequences such as leaving the computer unbootable.

Please Do NOT run any tools on your own or make any other changes to your computer and follow the directions in the order listed, otherwise you can worsen the situation rather than solve it.

Make sure to run all tools from the computer's Desktop and with Administrator privileges (i.e. right-click the tool icon and select Run as administrator).

Please run one scan at a time.

Once started the malware removal process has to be completed. Even if your computer appears to be running better after performing a first set of instructions, it may still be infected as some infections are difficult to remove and can leave remnants on the System. Please consider it clean and safe only when I declare it free of malware.


Before we start, and to answer your question:
When no action is taken over a threat, it means the infected item is still active on the computer, unless it has already been removed after that scan (e.g., by another tool). If Malwarebytes did not take any action over a threat, then you can send the item to quarantine. Once the threat is quarantined, it's no longer active on the system, i.e., it can't do any harm. You can also definitely remove it from quarantine.


Now I suggest printing out each set of instructions or copying them to a Notepad file and reading the entire post before proceeding. It will make following them easier.


Next,

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
    Credits: Aura
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the Fixlog.txt in your next reply;

 

Next,

Please download Zemana AntiMalware and save it to your Desktop.

  • Right-click on the icon and select Run as administrator to install the program.
  • Click Yes to accept the UAC security warning that may appear.
  • Select the language and click the OK button.
  • Click the Next button, accept the EULA warning and follow the instructions to continue and install the program.
  • Once the installation is complete it will start automatically. Wait a few seconds until the update of signature database is complete.
  • Without changing any options, click Scan to begin.
  • After the short scan is finished, if threats are detected click Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
  • Click on the Back button.
  • On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
  • Now click File > Save As, then choose your computer's Desktop and click the Save button.
  • Please attach the saved report in your next reply.

 

Next,

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
    Credits: Aura
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please attach that log in your next reply


Next,

  • Download Junkware Removal Tool (JRT) and move it to your Desktop
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Press on any key to launch the scan and let it complete
    Credits: Bleeping Computer and Aura
  • Once the scan is complete, a log will open. Please attach that log in your next reply


Next,

Please scan your computer with ESET Online Scanner.

  • Click on this link to open ESET Online Scanner in a new window.
    1. Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    2. Close all your programs and browsers and disconnect any USB flash drives from the computer.
    3. Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    4. Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.

  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Click Yes to accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.


In your next reply please attach:
Fixlog.txt;
Zemana log.
AdwCleaner clean log;
JRT.txt log;
ESET log (if it produced one).

I need to see those logs.

How is the computer running at this point?

Thank you.

Rui

fixlist.txt


Hello Android8888 and thank you for responding to my post.

I just finished following your instructions to run scans. 

I wanted to ask, if I saved my pictures and documents to a flash drive, moving and copying, do those flash drives and their contents need to be scanned or cleaned also?  Is there a way to make sure all the files and flash drives are clean?  Just wondering.

After the FRST fix my computer needed a reboot.  When I rebooted I got a message about changing my IE default home page.  If that is a part of the FRST fix please let me know.  When I opened the IE it said that IE changed my default home page because the other was corrupt but that message disappeared before I could get a screen shot or change anything.

When I did the ESET scan,  I checked the ones you said to check in the advanced section but unchecked the items which are automatically checked:  Enable detection of suspicious applications, Scan archives and Enable Anti-Stealth technology.  After the scan started, I thought maybe I should have left those options checked as well.  Please let me know if I need to do something further about this.  Also, this is the website for help for ESET that showed up when I clicked on the Help? button: support.eset.com /kb2921/ ?locale=en_EN with https and no spaces. 

  It has pictures, some instructions, and even a video.

Prior to these fixes I got the Apache Tomcat 404 page when trying to log into another site I used, which I hadn't mentioned before.  Previously the Firefox browser would open to a Restore session window and if you click on close it then goes to the default window.  I also noticed that something creates multiple shortcuts on my computer in various places.

I haven't tried to open Firefox since rebooting after finishing the scans.

Thank you,

Autumnleaves

AdwCleaner[S0] report.txt

ESETScan.txt

Fixlog.txt

JRT.txt

zemana log.txt


Hello Autumnleaves and thank you for the logs.

 

9 hours ago, Autumnleaves said:

Hello Android8888 and thank you for responding to my post.

You're welcome.

 

To answer your question:
If someone gave you the flash drive, or if it has some new software on it, scan it immediately the first time you plug it in. You should scan it if you have reason to suspect that it was on an infected computer.
If you never did it, I strongly advise you to scan it at least once.

 

9 hours ago, Autumnleaves said:

Is there a way to make sure all the files and flash drives are clean?  Just wondering.

Yes there is, you can scan it with your resident Antivirus (Microsoft Security Essentials).
Microsoft Security Essentials: How to Scan Removable Drives

 

9 hours ago, Autumnleaves said:

After the FRST fix my computer needed a reboot.  When I rebooted I got a message about changing my IE default home page.  If that is a part of the FRST fix please let me know.  When I opened the IE it said that IE changed my default home page because the other was corrupt but that message disappeared before I could get a screen shot or change anything.

Yes, that was performed by the fixes. You can always set your Internet Explorer Home Page again.
How to Change Your Home Page in Internet Explorer

You should maintain those checked, run another scan with ESET and post the new log (if it produced one).

Are those new shortcuts located in your computer's Desktop? If so, they were most likely created by the tools we are using. We will delete them all after the clean-up.

 

Please post the new ESET log, then test all Internet browsers and programs and let me know in detail what issues or concerns you are still experiencing on this computer.

Thank you.

 


21 hours ago, Android8888 said:

Hello Autumnleaves and thank you for the logs.

You're welcome.  My replies are in italics within this quote.

To answer your question:
If someone gave you the flash drive, or if it has some new software on it, scan it immediately the first time you plug it in. You should scan it if you have reason to suspect that it was on an infected computer.
If you never did it, I strongly advise you to scan it at least once.

Yes there is, you can scan it with your resident Antivirus (Microsoft Security Essentials).
Microsoft Security Essentials: How to Scan Removable Drives

Yes, that was performed by the fixes. You can always set your Internet Explorer Home Page again.
How to Change Your Home Page in Internet Explorer

Thank you for all this information!  It is very helpful.

You should maintain those checked, run another scan with ESET and post the new log (if it produced one).

Are those new shortcuts located in your computer's Desktop? If so, they were most likely created by the tools we are using. We will delete them all after the clean-up.

The shortcuts on the Desktop are okay.  My computer was randomly creating shortcuts and putting them within file folders which was odd, but I'd find them there, like Outlook, etc.

Please post the new ESET log, then test all Internet browsers and programs and let me know in detail what issues or concerns you are still experiencing on this computer.

Thank you.

Thank you for all the information.  The ESET scan said that no threats were found.  I still get a page for Firefox that says, "Well this is embarrassing" they can't recover the old links from the last session, even after the memory has supposedly been cleared.  There are 2 tabs that open on Firefox - one is the one I described and the other is a search page asking for monetary donations, which might be their legitimate page.  The site with the problem apache message still doesn't work, I will try to call them.  Other sites are a bit choppy on IE.  I haven't gone to my email site again yet, because the last time it hanged in Firefox and I couldn't log out in that browser and wanted to make sure all problems were cleared up first.

Thank you for your help with all of this.  Does my computer need further testing?  Is there another scan or something you would recommend?  If anything else comes up I will post again.  And thank you again!

Autumnleaves

 

 


Hello Autumnleaves,

Thank you for the feedback.

Okay, I would like you to proceed as follows.

 

Clear the cache, cookies and history of all Internet browsers:

Internet Explorer
https://kb.wisc.edu/page.php?id=15141

Mozilla Firefox
https://kb.wisc.edu/helpdesk/page.php?id=17504

Google Chrome
https://support.google.com/accounts/answer/32050?hl=en


Next,

Reset all browsers settings to default:

Internet Explorer
https://support.microsoft.com/en-us/kb/923737

Mozilla Firefox
https://support.mozilla.org/en-US/kb/reset-preferences-fix-problems

Google Chrome
https://support.google.com/chrome/answer/3296214?hl=en


Test all browsers and let me know how they are working now. Are there any remaining issues or concerns? If so, please describe them in detail.

Thank you.

Android8888

 


  • 2 weeks later...

Hello Android8888 (Rui)! 

Sorry I haven't replied earlier.  I have done the clearing of the cache and resetting of browsers.  I didn't delete preferences on Firefox (meaning bookmarks, etc.)

When I open Firefox sometimes I get a window that says, "well this is embarrassing - we can't remember your settings to reopen them" or something to that effect - I press the close button and then a default browser comes up.

When I clicked on a link yesterday, it took me to a bad site.  Hopefully that didn't cause more problems. 

Also, when I tried to update CCleaner from its message while in Ccleaner I got a foghorn sound that something couldn't be loaded or wasn't responding properly.  Then I tried to do it from a link in these forums, and that updated the program.  However, when I try to run the Ccleaner after closing Firefox and Internet Explorer I get the message that Internet Explorer is still open and do I want Ccleaner to close IE yes or no.  I don't know if this means my computer is still infected with something or that something is infected.

I haven't been sure if it is safe to do secure transactions on my computer yet. Most of the scans I have run seem to come up clean - the Malwarebytes, Microsoft Security Essentials, and Super Anti Spyware.

If you have any other suggestions, or want me to run something again or else, please let me know.

Thank you.

Autumnleaves


Hello Autumnleaves,

Okay, please proceed as follows:

Please download RogueKiller_portable64.exe by Tigzy and save it to your computer Desktop.

  • Now close all programs and Internet browsers and disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the file RogueKiller_portable64.exe and select Run as administrator to start the tool.
  • Click Yes to accept the User Account Control security warning that may appear.
  • Once the tool is open, click the 'Scan' tab menu and then click the Start Scan button.
  • Wait until the scan has finished. Note: This scan may take some time to complete;
  • Warning: Do NOT remove any entry it found. They are not all bad and need to be carefully analysed.
  • Once finished the results will be displayed. Click on the Open Report button. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your computer Desktop.
  • Close RogueKiller.


Please attach the RogueKiller log to your next reply.

Thank you.

Rui


Hello Rui,

I'm sorry I forgot to mention this in the previous post, but sometimes it seems Ccleaner doesn't always remove the Windows and System Files and IE Temporary Internet files.

Sometimes they show up again after the scan, sometimes if I reboot the computer they are still there.

Thank you for your continued help.

Autumnleaves

 


Hello Autumnleaves.

Follow the instructions below to completely remove CCleaner from your computer by using the Revo Portable version. Note: After removal DO NOT reinstall CCleaner yet. We will do that later.

Please download the free version of Revo Uninstaller Portable from here and save the compressed file to your computer's Desktop.

  • Double-click the compressed file RevoUninstaller_Portable and extract the files within it (a folder with the same name will be created);
  • Within that folder, right-click the file RevoUPort and select Run as administrator to open the tool;
  • Click Yes to accept the UAC security warning that may appear;
  • Click OK to accept the License Agreement and Copyright;
  • Select CCleaner and click Uninstall. Follow the instructions to complete the removal process;
  • In 'Search Mode' set it to 'Advanced' and click on the Scan button. The tool will search for leftovers;
  • Click on Select All and then on Delete and then Yes to delete the selected items;
    Note: You may have to repeat this step to delete all the leftovers (Registry items, files and folders);
  • Click the Finish button and restart the computer to complete the removal process.


Next,

Delete the two old FRST.txt and Addition.txt logs.
Now re-run FRST, perform another scan and attach a new set of logs (FRST.txt and Addition.txt) for my review.

Thank you.

Rui


Hello Autumnleaves.

There is nothing worrying in your logs. Just some tidy up.

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
    Credits: Aura
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the Fixlog.txt in your next reply;

 

Next,

Please download the latest free version of CCleaner from here and re-install the program.

Run CCleaner again and use the Cleaner feature to remove Temporary Files, Cache, History and Cookies of your browsers. You need to press the Run Cleaner button to permanently delete all the items it finds. The Analyse button does not remove anything. It just finds the items but does not remove them.

NOTE: I do NOT advise the use of the Registry Cleaner feature. Registry cleaners are extremely powerful applications and their potential for harming your Operating System far outweighs any small potential for improving your computer's performance.
I suggest you read more information about Registry cleaners here: https://blog.malwarebytes.com/cybercrime/2015/06/digital-snake-oil/

Now restart the computer.

How is the system running now? Any issues or concerns?

Thank you.

Rui

fixlist.txt


Hello Rui.

Okay, here is the fixlog.

I also downloaded and installed Ccleaner - the latest version and did the cleanings.  The first cleaning had around 21 million KB I think System Files that showed up to be deleted.  It also seems that the original versions of Ccleaner were not completely deleted from the download file by the RevoUPort. 

Anyway, I used my computer a bit and noticed that when I restore things from the recycle bin, it creates shortcuts of each of those items as well as restore the items. Also, when I used Firefox to try and do something it once again got stuck and did a hang in the middle of something, so I did logout of that without being able to do anything further. 

Then, just to see if it was clean still, I ran my Malwarebytes and then I ran the original set of scans that you instructed above, most of which came out clean, except for the JRT and Eset scans.  At the end of the Eset scan it said there were threats found I saved the report to txt file and then the only options there were Do not clean, Clean selected or Clean all.  I'm thinking maybe I should just click Clean All or Clean Selected at this point, and that perhaps Ccleaner still has unresolved issues.

 Please advise as soon as possible about the Eset.

Thank you.

Autumnleaves

ESETScanunov3.txt

Fixlog.txt

JRT-1m.txt


Hello Rui.

Thank you again for everything. 

I found a page that claims to have Ccleaner without a bundled Google D toolbar here:

www . piriform . com / ccleaner / builds without any spaces.

I'm not sure how this would work with my computer, so I thought I'd mention it here and see what you think about it. Also if you have other suggestions and recommendations those would also be appreciated.

Thank you.

Autumnleaves

 

 


You're very welcome! :)

 

4 hours ago, Autumnleaves said:

I found a page that claims to have Ccleaner without a bundled Google D toolbar here:

www . piriform . com / ccleaner / builds without any spaces.

Yes you can download it from Piriform, it is safe.


Okay read the instructions here https://support.mozilla.org/en-US/kb/restore-bookmarks-from-backup-or-move-them to backup and restore your Mozilla Firefox bookmarks.

Now please do a backup of your bookmarks and save the file to your Desktop or in a place where you can easily remember.

Then follow the instructions in post #11 and completely remove Mozilla Firefox by using Revo.

Go to C:\Program Files (x86) and delete also the folder Mozilla Firefox (if present).

Restart the computer.

Download a new Firefox Installer.exe from here, save it to your Desktop and reinstall the program.

Restore your bookmarks.

Test the new Firefox installation and let me know how it goes.


Hello Rui.

Thanks for all your help.  I did the uninstall and new install of Mozilla Firefox and it seems to be working better now.

I used to also get appcrash messages for various programs, especially for Internet Explorer for various reasons and for the printer as well.

Now, when I am not doing anything related to printing and am just working with the Mozilla Firefox browser I get a message that says:

"Printer Device has stopped working".  I can attach this message which I saved in a word document. 

Also, I haven't tried to get into some more secure sites yet, like email and some others.  I think I want to be sure it is safe.

Last time when I ran the cleaners and Eset found the bundled Google D Toolbar,  I clicked the "Clean" button.  It seems that Ccleaner is still on my computer.  Would it be a good idea to load that other version (supposedly without a toolbar) from Piriform, or did the Eset take care of the Google D Toolbar problem?  I ran Eset again and the scan came up clean.

The JRT found and deleted some files.  It picked something up the last time I ran it also.  I'm attaching that too.

Is there something I should do about this or do you have any other recommendations?

Thank you.

Autumnleaves

JRT-nov4.txt

Printer Device Monitor has stopped working Problem signature.docx


Hello Autumnleaves.

On 05/11/2017 at 6:30 AM, Autumnleaves said:

Last time when I ran the cleaners and Eset found the bundled Google D Toolbar,  I clicked the "Clean" button.

Yes ESET removed the three bundled files of CCleaner and if the result of the last scan that you performed on your own was clean, then you don't need to worry about it anymore.

 

On 05/11/2017 at 6:30 AM, Autumnleaves said:

The JRT found and deleted some files.  It picked something up the last time I ran it also.  I'm attaching that too.

The files that JRT found and removed were temporary Internet files. That's okay. You don't need to worry about it.

 

On 05/11/2017 at 6:30 AM, Autumnleaves said:

I used to also get appcrash messages for various programs, especially for Internet Explorer for various reasons and for the printer as well.

The crash seems to be related to this program Dell V520 Series Uninstaller.

Please go to this Diagnostic tool from Dell http://www.dell.com/support/home/us/en/19/quicktest?~ck=mn and run the test to check for hardware issues.
Then go here http://www.dell.com/support/home/us/en/19?app=drivers&~ck=mn and update your printer drivers and check if the problem persists.

 

At this point your computer is clean and free of malware.

 

Now I suggest you run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated. Outdated programs contain security vulnerabilities that are exploited by malware in order to infect the computer without the user's knowledge. Usually this is one of the ways that contributes most to the infection of your computer.


After doing that you can now remove the tools we used in this clean-up by running DelFix.

Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Run as Administrator;
  • Check the following options :
    • Activate UAC (this option will activate the User Account Control feature).
    • Remove disinfection tools (this option will remove the tools used in the cleaning process).
    • Create registry backup (this option will create a backup from the Windows Registry).
    • Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system).
    • Reset system settings (this option will reset any system settings back to default that were changed either by us during cleansing or by malware infection).
  • Once the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open. I don't need to see the log file. Close and delete it.

You can also delete the files and logs that DelFix cannot remove.

 

To help keep malware off your system below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please consider using these ideas to help secure your computer.

Keep your Windows Operating System up-to-date.

Keep your AntiVirus program up-to-date.

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Keep Malwarebytes Anti-Malware (MBAM) updated and perform regular scans of your system as it will make it harder for malware to reside on your computer.
A tutorial on using MBAM can be found here and a complete guide here

Please Note: Only the paid for version has real time capabilities. Please go here and scroll down to find a comparison list of the two versions.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster, available here

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Another most feared threat at the moment is an infection by a Ransomware. A Ransomware infection is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically to pay a ransom in the form of Bitcoins or another payment method. I advise you to read more info on this terrible threat here and here.

Please keep your programs up to date. This applies to most of the programs and all your Internet Browsers in particular. Vulnerabilities in the programs are often exploited in order to install malware on your PC.

Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.

Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.

Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.

Don't click on links received in instant message programs.

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available here

For much more useful and complete information, please read the following links to fully understand PC Security and Best Practices:
So how did I get infected in the first place
Answers to common security questions - Best Practices

Hopefully these steps will help to keep you error and malware free. If you run into more difficulty, we will certainly do what we can to help.


Are there any remaining issues or can we close this topic?


Android8888
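
The HOSTS-file advice above relies on the file mapping unwanted hostnames to 0.0.0.0 or a loopback address, so lookups for them never reach the real site. The following Python code is an added example, not part of the original post or of the MVPS project; `classify_hosts`, `LOCAL_NAMES` and the sample entries are constructed for illustration, and it goes one step further by flagging entries that pin a name to a routable address, which a blocking list should not contain.

```python
import ipaddress

# Constructed sample, not taken from any real machine or from the MVPS list.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.com tracker.example.com   # blocked
127.0.0.1       popups.example.net
203.0.113.10    www.example-bank.test                 # unexpected redirect
not-an-ip       broken.example.org
"""

# Names that normally point at loopback and are not "blocked sites".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def classify_hosts(text):
    """Sort hosts-file entries into blocked, redirected and malformed."""
    result = {"blocked": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            result["malformed"].append((lineno, raw.strip()))
            continue
        if len(fields) < 2:  # an address with no hostname after it
            result["malformed"].append((lineno, raw.strip()))
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in LOCAL_NAMES:
                continue  # ordinary loopback definitions
            if addr.is_unspecified or addr.is_loopback:
                result["blocked"].append(name)  # sinkholed: never leaves the PC
            else:
                # A name pinned to a routable address overrides DNS; review it.
                result["redirected"].append((name, str(addr)))
    return result


if __name__ == "__main__":
    for kind, entries in classify_hosts(SAMPLE_HOSTS).items():
        print(kind, entries)
```

On Windows the file to read is `C:\Windows\System32\drivers\etc\hosts`; pass its text to `classify_hosts` and review anything reported as redirected or malformed.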


  • 2 weeks later...

Hello Android8888.

I've been trying to finish up this topic with my computer.  But the other day I noticed google chrome had been loaded onto my computer along with a google toolbar and an avast free virus which needed to be installed.  I also loaded the Filehippo to check on whether programs are updated.

Today Malwarebytes kept blocking a 255.255.255.255 site with a Portal of 68.  I deleted the Avast along with the google chrome, and toolbar.  The extension coming up on the reports is .json.  There was also a problem when I tried to update Ccleaner the first time.  I don't know if those things were installed when I tried to update Ccleaner again after that.  I'd like to remove the Filehippo program also.  For now I've uninstalled it, but there are still files there.  The blocked files were in C:\Window\System32\svchost.exe files.

Also, when my computer was scanning for viruses I noticed files under the address above with the word Wow stuck in between things like maybe sysWOWtem.  Is this normal?  It doesn't seem so.  I also haven't gotten to removing the tools we used yet because some files that Filehippo said needed to be updated couldn't be updated.  When it tried to it didn't work, they might not all be supported still.  I manually searched for some updates to some of the programs because it loaded a trial version of Cyberlink Power DVD to update one of my files.  I have a file called Old Firefox files which probably should just be deleted maybe?  I will attach a copy of one of the blocked sites too.

Thank you again for all your help. 

Autumnleaves

block 1.txt


Hello Autumnleaves and welcome back!

Okay, I will try to answer your questions.

After running some of the tools again, this is what the JRT scan found. And this is what the Eset scan found.


What JRT found were some temporary Internet files and two Registry Keys not needed. You don't need to worry about it. Concerning ESET, it may be a false positive as it appears ESET is detecting the Win32/Bundled.Toolbar.Google.D in CCleaner, a popular utility program. ESET has an option to scan for low-level threats such as bundled options in installers. Usually you have to check the box for PUP (Potentially Unwanted Programs) on ESET before scanning in order to find this type of item. So the default is for ESET Online Scanner not to bother with them. Besides, a PUP is not considered malware by itself.


Today Malwarebytes kept blocking a 255.255.255.255 site with a Portal of 68.


Concerning the Malwarebytes blocking issue, please update your database version by running an update. Then restart the computer and let me know if the problem persists.


The extension coming up on the reports is .json.


JSON is short for JavaScript Object Notation, and is a way to store information in an organized, easy-to-access manner, for example in the structure of a file like the log file. Nothing to worry about.


I'd like to remove the Filehippo program also.  For now I've uninstalled it, but there are still files there.


Please re-install the program and remove it using RevoUninstaller Portable to remove all the leftovers (files, folders).


Also, when my computer was scanning for viruses I noticed files under the address above with the word Wow stuck in between things like maybe sysWOWtem.  Is this normal?  It doesn't seem so.


SysWOW64 is a special folder that only exists on 64-bit Windows and it is intended to store 32-bit binary files. In the folder name there is the "strange" character combination WOW64 included. WOW64 is a shortening for "Windows on Windows 64-bit" (can be read as "Windows 32-bit on Windows 64-bit"). It's an emulator that allows 32-bit Windows-based applications to run seamlessly on 64-bit Windows. A compatibility layer is used as an interface between the 32-bit program and the 64-bit operating system. So this folder and the files it contains are legit.


I have a file called Old Firefox files which probably should just be deleted maybe?


This is your Firefox profile backup. It was created when you reset Firefox to default settings. Most likely you don't need it, but you can use it as a backup if you wish, although it is very unlikely that you will need or want it.


What is the state of the computer at this point? Is it running well? Any issues?

Thank you.

Rui


Hello Rui.

Thanks for the information.  When I tried to use the FileHippo program to update my computer programs, it installed a trial version of CyberLink PowerDVD 17 instead of checking for updates to what I already had, which is an older version, which I didn't realize at the time.  Anyway, every time I would open a photo or jpg on my computer, it would suddenly open with the cyberlink power dvd17 program with a black border on it.  I also noticed when I tried to remove FileHippo from my computer that it didn't entirely do so. There was a folder under My Documents which held applications that FileHippo had updated - I think it was Java, a windows updater or something and the Cyberlink. 

I updated the original Cyberlink I had.  I just uninstalled the Cyberlink PowerDVD 17 because I don't know why it does that with every one of my pictures and jpgs.  Now when I try to open my jpgs and photos it says Windows doesn't know how to open this file, because I guess the Cyberlink program or Filehippo changed the default for opening things to their program, and now they won't open.  Filehippo also added folders for Cybercloud and filehippo under My Documents and My Pictures and other places.  Is there a way to fix all of this and get rid of the FileHippo things?  I've searched for some things, and deleted some folders and some of what FileHippo installed.  Please advise as soon as possible.  I'm also still getting popups from Cyberlink PowerDVD about Black Friday sales, so something about that isn't uninstalled.

RevoUninstaller didn't remove all of FileHippo and it seems that my computer isn't as secure with these programs, less privacy maybe?

Thank you for your help.  I hope to hear from you soon.

Autumnleaves

 


Hello Autumnleaves.

I apologize for the delay.

You can uncheck the Beta updates option in Filehippo.
From what I understand I presume that you uninstalled Filehippo and CyberLink PowerDVD. Did you remove them through Programs and Features from Windows or with Revo Uninstaller? Revo is the best choice as it deeply searches for leftovers so nothing should be left.

Now, please read the information in the following link and see if it can help you in setting up and associating a file type with the program that you already used before to open your image files (photos).
https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs

Next re-run FRST with Administrator privileges, perform a new scan and when finished attach the new set of logs (FRST.txt and Addition.txt) for my review.

Where are the popups coming from? Do they appear suddenly when the browsers are closed or do they appear when you are navigating on the Internet?

Thank you.

Rui


  • 4 weeks later...

Hello Rui.

I apologize for my delay as well. 

I believe I tried to remove Filehippo through Revo Uninstaller but it didn't remove any remnants or leftovers.  I have a CyberLink Power DVD folder which may contain too many other folders.  I think I tried to do that manually because I had the original program which came with my computer which I updated,  and the other trial program, which I tried to get rid of.  That trial program was, I believe, the reason for Cyberlink popups.  I also get popups on other websites, usually to sign up for a newsletter by giving my email address.

I read about the change default programs and figured out how to display most of my files.

Lately I have been getting messages like, SuperAntiSpyware is no longer working in real time.  When I click on Malwarebytes I get the message I am attaching for you to see.  Also got the message that Microsoft Security Essentials couldn't connect to the files to update.

Malwarebytes has also been blocking websites.  I can attach copies of that.  I ran Eset and it removed a google toolbar.  Attaching a copy.

 

Addition.txt

dec112017 from malwarebytes.JPG

eset dec202017.txt

FRST.txt

maldec132017.txt

maldec192017.txt


Hello again, Rui.

I was using Mozilla Firefox earlier and a red screen, which was in the Mozilla browser,  came up saying that my computer is infected with a virus.  The screen said Mozilla also.  It said my computer is infected with a virus and  please call the number on the screen, which I didn't have the chance to copy down.  It said not to do any online shopping or anything.  I couldn't close the browser so I turned the power completely off.  I need to know if my computer could have a virus, spyware, malware.  Please let me know as soon as possible.  Could it be that Mozilla has a problem?  Is it safe to use my computer?

I also have some JRT reports if you wanted to see them.

Thanks.

Autumnleaves

 

This topic is now closed to further replies.